Audit Report

OIG-10-025
Management Letter for Fiscal Year 2009 Audit of the
Office of the Comptroller of the Currency's Financial Statements

December 22, 2009

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 22, 2009

MEMORANDUM FOR JOHN C. DUGAN
               COMPTROLLER OF THE CURRENCY

FROM:     Michael Fitzgerald
          Director, Financial Audits

SUBJECT:  Management Letter for Fiscal Year 2009 Audit of the Office of the
          Comptroller of the Currency's Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of the Comptroller of the Currency's (OCC) Fiscal Year 2009 financial statements. Under a contract monitored by the Office of Inspector General, GKA, P.C. (GKA), an independent certified public accounting firm, performed an audit of the financial statements of OCC as of September 30, 2009 and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, GKA issued and is responsible for the accompanying management letter, which discusses certain matters involving internal control over financial reporting and its operation that were identified during the audit but were not required to be included in the auditor's reports.

In connection with the contract, we reviewed GKA's letter and related documentation and inquired of its representatives. Our review disclosed no instances where GKA did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Ade Bankole, Manager, Financial Audits, at (202) 927-5329.

Attachment


gka, P.C.
Certified Public Accountants | Management Consultants

OFFICE OF THE COMPTROLLER OF THE CURRENCY
MANAGEMENT LETTER
FISCAL YEAR 2009

October 30, 2009

Member of the American Institute of Certified Public Accountants
1015 18th Street, NW · Suite 200 · Washington, DC 20036 · Phone: 202-857-1777 · Fax: 202-857-1778 · www.gkacpa.com


Inspector General, Department of the Treasury, and
the Comptroller of the Currency:

We have audited the balance sheet as of September 30, 2009 and the related statements of net cost, changes in net position, and budgetary resources for the year then ended, hereinafter referred to as "financial statements", of the Office of the Comptroller of the Currency (OCC) and have issued an unqualified opinion thereon dated October 30, 2009. In planning and performing our audit of the financial statements of the OCC, we considered its internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. We have not considered the internal control since the date of our report.

During our audit we noted certain matters involving OCC's information technology general controls that are presented in this letter for your consideration. The comments and recommendations, all of which have been discussed with the appropriate members of OCC management, are intended to improve OCC's information technology general controls or result in other operating efficiencies.

OCC management's responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the responses or the effectiveness of any corrective action described therein.

We appreciate the cooperation and courtesies extended to us during the audit. We will be pleased to meet with you or your staff, at your convenience, to discuss our report or furnish any additional information you may require.

October 30, 2009


Office of the Comptroller of the Currency
Management Letter Comments and Recommendations
Year Ended September 30, 2009

Improvements Needed in Information Technology General Controls over OCC's Financial Systems (Repeat Condition).

In our fiscal year (FY) 2008 audit, we identified weaknesses in the areas of entity-wide security program planning and management, access controls, service continuity, and application software development and change controls. We reported these weaknesses to management in a management letter. In FY 2009, OCC made significant progress in resolving these weaknesses, as evidenced in OCC's Plan of Actions and Milestones (POA&M) and our verification of correction of many of the prior year issues. Only one (1) out of six (6) issues identified in FY 2008 remains partially unresolved (see Finding 5 below). The remediation work on this issue included a phased implementation of Federal Desktop Core Configuration (FDCC) and the implementation of a management control to detect and remove unauthorized software. During the FDCC implementation, OCC determined that administrative rights could not be removed without significant impact to OCC mission production systems. Treasury has since granted a waiver to OCC for removing administrator privileges. To mitigate the risk associated with local administrator privileges, the OCC is currently researching alternate methods for preventing the installation of unauthorized software.

We noted four (4) new areas for improvement in FY 2009. The weaknesses noted in OCC's IT general controls are discussed below.

(A) Security Management and Contingency Planning

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks.

Contingency planning safeguards against losing the capacity to process, retrieve, and protect information maintained electronically, which significantly affects an agency's ability to accomplish its mission.

In the FY 2009 audit, we noted that OCC has updated its hiring procedures to require the completion of an Office of Personnel Management (OPM) Special Agreement Check (SAC) for all temporary interns who will be at OCC for less than 6 months, as was recommended in our FY 2008 management letter. None of the findings noted in FY 2008 related to security management and contingency planning were repeated in FY 2009. However, we noted a new finding in this area, which is detailed below together with our recommendation and management's response.

1. There are weaknesses in the OCC's process for updating its Certification and Accreditation (C&A) documentation.

   Specifically, we noted the following:

   • The $MART Risk Assessment has not been updated to reflect changes to the $MART operating environment, specifically the upgrade from SQL Server 2000 to SQL Server 2005.
   • There was no signature page or documentation provided to show that the July 2008 $MART Security Plan was approved.
   • The $MART Security Plan has not been updated to reflect changes to the $MART operating environment, specifically the upgrade from SQL Server 2000 to SQL Server 2005.
   • The $MART Security Plan does not accurately describe the system's interconnections. The plan states that there is a peer-to-peer connection used to transfer data between the OCC and Citibank, and the OCC and the Department of Defense - Central Contractor Registration (CCR). However, there are no direct connections between the OCC and these outside entities.
   • The $MART Business Impact Analysis has not been updated to reflect changes to the $MART operating environment, specifically the upgrade from SQL Server 2000 to SQL Server 2005.
   • The $MART Contingency Plan has not been updated to reflect changes to the $MART operating environment, specifically the upgrade from SQL Server 2000 to SQL Server 2005.
   • The Network Infrastructure General Support System Security Plan identifies Jackie Fletcher as the Authorizing Official. However, Jackie Fletcher was replaced by Bajinder Paul as the Authorizing Official and the document was not updated to reflect the change.
   • The Network Infrastructure General Support System Contingency Plan was not updated to reflect testing and lessons learned from the March 2009 testing.

The OCC does not have a formal process in place to ensure that all C&A documentation is updated to reflect system changes, changes in the operating environment, or organizational changes. Additionally, OCC is still in the process of updating the network contingency plan to incorporate the lessons learned from the last recovery test. However, the OCC Master Security Controls Catalog states the following:

   • "The OCC updates the risk assessment [every three (3) years] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system."
   • "The OCC reviews the security plan for the information system [annually] and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments."
   • "The OCC reviews the contingency plan for information systems [annually] and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing."

Over time, policies and procedures may become inadequate because of changes in threats, changes in operations, or deterioration in the degree of compliance. Periodic assessments are an important means of ensuring the effectiveness of policies and controls to reduce risk on an ongoing basis. Failure to update risk assessments, security plans, and contingency plans increases the probability that OCC management may not be aware of how system changes impact the confidentiality, integrity, and availability of system data. This may impact OCC's ability to recover from disaster situations. It also increases the risk that OCC management may not have all of the appropriate information to ensure that appropriate decisions are made regarding which risks to accept and which to mitigate through security controls.

Recommendations:
We recommend that OCC management: (1) implement a process to ensure that C&A documentation is updated timely in accordance with OCC policy, (2) ensure that approvals of C&A documentation are retained, and (3) ensure that the information contained in the documentation is accurate and reflects the current system operating and organizational environment.

Management's Response:
The OCC will document and implement a process to ensure that C&A documentation is reviewed on a periodic basis and updated when major changes occur, or as needed. The resulting agreed-upon process will then be implemented and disseminated to all appropriate stakeholders. Stakeholders will be trained on their newly defined responsibilities. The C&A documentation will be updated to address the specific examples identified above.

(B) Access Controls

Access controls should provide reasonable assurance that computer resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment.

We noted that OCC has implemented our FY 2008 audit recommendations to document and maintain approved authorization and recertification forms for access to the SQL Server database related to the Financial Management applications; to grant database access permissions in accordance with the principle of least privilege; and to implement a process, including the Guardium tool and standard operating procedures (SOP), to periodically review actions performed by database administrators within the $MART database.

None of the findings noted in FY 2008 related to access controls were repeated in FY 2009. However, we noted two new findings in this area. Our findings and recommendations, and management's responses, are detailed below.

2. There are weaknesses in the OCC's process for periodically reviewing network accounts and disabling access permissions that are no longer required.

   Specifically, we noted the following:
   a. The number-of-days requirement for disabling inactive accounts in the $MART and Network Infrastructure Security plans was not consistent with the Master Security Controls Catalog and the Account Management Standard Operating Procedures.
   b. There was no evidence to show that unnecessary System Administrator accounts were adequately disabled after the last account recertification.
   c. OCC network accounts are not being recertified on a monthly basis in accordance with the Master Security Controls Catalog.
   d. We identified 650 active network accounts that had been inactive for more than 60 days.
   e. We identified 295 active network accounts that have been configured with passwords that never expire.

We noted the following causes of the conditions stated above:

   • OCC did not ensure that the "number of days" requirement for disabling inactive accounts was consistent in its procedures and security plans in accordance with agency requirements. Once OCC was notified of this issue, management revised the security artifacts with a requirement of no more than 90 days to bring all 4 documents into alignment. Therefore, we did not make any further recommendations.
   • OCC currently does not perform monthly reviews of network accounts. OCC performed a review of system administrator accounts in March 2009 and identified accounts that needed to be removed; however, the accounts had not been removed at the time of our audit. OCC is still in the process of removing these accounts.
   • OCC does not have a process in place to identify service accounts, exchange accounts, and other accounts that are exempt from the requirement to disable inactive accounts. Therefore, some inactive accounts are not appropriately disabled as a part of the weekly review process. Once OCC was notified of the 650 inactive accounts, OCC did its own analysis and determined that only 47 of the accounts were questionable. OCC then disabled each such account or validated that it needed to be active.
   • OCC does not have a process in place to identify the network accounts that must be configured with a password that never expires. Therefore, some network accounts were erroneously configured with passwords that do not expire. Once OCC was notified of these 295 accounts, OCC did its own analysis and determined that only 82 of the accounts were questionable. OCC then disabled the accounts or validated that they needed to be configured with a password that does not expire.

The OCC Master Security Controls Catalog states the following:

   • "The OCC manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [monthly]."
   • "The information system automatically disables inactive accounts after no more than [90 days]."
   • "The OCC manages user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) issuing the user identifier to the intended party; (v) disabling the user identifier after [90 days] of inactivity; and (vi) archiving user identifiers."
   • "The OCC manages information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically."

Weaknesses in access controls increase the risk of inadvertent or deliberate disclosure, modification, and destruction of OCC data. Users may have unauthorized or unnecessary access permissions to OCC systems and data.

Recommendations:
We recommend the following:
   1. OCC should recertify network access permissions on a monthly basis in accordance with the Master Security Controls Catalog and remove access for individuals that no longer require the access.
   2. OCC should disable unnecessary network accounts after 90 days of inactivity in accordance with OCC requirements.
   3. OCC should implement a process to identify, document, and approve all network accounts that are exempt from the 90-day inactivity requirement and periodically review these accounts for appropriateness.
   4. OCC should implement a process to identify, document, and approve all network accounts that are exempt from having to automatically enforce password changes and periodically review these accounts for appropriateness.

Management's Response:
The access controls weaknesses will be addressed as noted below:

Response to Condition "a" – Number of Days Requirement for Disabling Inactive Accounts: As noted by GKA, the OCC has updated documentation related to access controls to consistently reflect the requirement to disable accounts after 90 days of inactivity. No further action is required.

Response to Condition "b" – System Administrator Account Management: The OCC initiated a Task Order to address the issue of defining and implementing a process over the management of privileged accounts (i.e. creation, deletion, and review/recertification of accounts). The task order, which was awarded in September 2009, will focus on analyzing the current state process and either improving it or re-engineering it based upon the current state analysis findings. The resulting agreed-upon procedures will then be implemented and disseminated to all appropriate stakeholders. Stakeholders will be trained upon their newly defined responsibilities.

Response to Condition "c" – Network Accounts Management/Network Account Recertification: The OCC will implement a process to periodically review/recertify network accounts in accordance with established OCC requirements. This process will be disseminated to all appropriate stakeholders. Stakeholders will be trained on their newly defined responsibilities.

Response to Condition "d" – Disabling Inactive Network Accounts: In FY 2007, a process was established to review inactive user accounts and disable accounts that reached the 90-day mark on a weekly basis. The number of inactive user accounts was significantly reduced as a result of this function. In recent months, the review and removal of inactive user accounts occurred with less frequency. We intend to reestablish a capability to periodically review all network accounts and disable accounts after 90 days of inactivity in accordance with the established requirements.

Response to Condition "e" – Identify and Review Network Accounts Exempt from Inactive and Password Expire Requirements: The OCC will implement a process to identify and periodically review all accounts (e.g. service accounts, exchange accounts, etc.) which are exempt from: (a) the 90-day inactivity requirement, and (b) having to automatically enforce password changes. This process will be disseminated to all appropriate stakeholders. Stakeholders will be trained on their newly defined responsibilities.

3. There is currently no process in place to periodically review logs of system administrator activity for the OCC network.

OCC maintains a log of all additions and deletions from the administrator groups on its network. The OCC Incident Response Team reviews these logs to determine if there are any user accounts that do not conform to OCC naming conventions. However, the operations group does not periodically review the logs to ensure that the individuals being added to the administrator groups are actual system administrators who have been authorized to have those access permissions.

The OCC Master Security Controls Catalog states the following:

   • "The OCC supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls."
   • "The OCC regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions."

Failure to periodically review audit logs increases the risk that unauthorized individuals may access, modify, or destroy data without detection. Additionally, management may not be able to identify suspicious or unusual actions that could help detect potential security breaches.

Recommendation:
We recommend that OCC implement a process to periodically review logs of system administrator activity on the network.

Management's Response:
As part of their regular weekly duties, the OCC's Computer Incident Response Capability (CIRC) staff maintains surveillance of privileged account activity, looking for non-compliance with standards, add and remove actions, and other suspicious activity (based on trends) that would present a risk of unauthorized access. Any issue with suspicious activity is escalated to the Information Resource Management (IRM) Lead for Incident Response. While this responsibility is defined in the CIRC Procedures Manual (v4.5 Appendix A), the CIRC's review criteria and procedures are not formally documented. The OCC will formally document these procedures, in addition to developing and implementing a process to provide evidence of the periodic reviews currently taking place over system administrator activity by CIRC staff.

It should be noted that an additional layer of system administrator activity review is currently in place to monitor and review actions of database administrators in the $MART database. This database logging capability (and associated review process) was implemented in February of 2009 to address a prior year (FY 2008) finding.

(C) Configuration Management

Configuration management policies, plans, and procedures should be developed, documented, and implemented at the entity-wide, system, and application levels to ensure an effective configuration management process.

During the prior year, we recommended that OCC management continue to dedicate resources to fully implement the necessary Microsoft System Management Server (SMS) process to automatically and promptly detect and remove unauthorized personal and public domain software from OCC systems (desktops) and implement controls to restrict users from downloading and installing unapproved software. The remediation work on this issue included a phased implementation of the Federal Desktop Core Configuration (FDCC) and the implementation of a management control to detect and remove unauthorized software. During the FDCC implementation, OCC determined that administrative rights could not be removed without significant impact to OCC mission production systems. Treasury has since granted a waiver to OCC for removing administrator privileges. To mitigate the risk associated with local administrator privileges, the OCC is currently researching alternate methods for preventing the installation of unauthorized software. We also noted a new finding in this area. Our findings and recommendations, and management's responses, are detailed below.

4. The OCC consolidated inventory of systems was not up-to-date. Specifically, we observed that the C-Cure physical security management system was not included in the inventory.

At the time of our review, the OCC was not reviewing and updating the consolidated system inventory. However, in July 2009, the OCC instituted a quarterly process to review and update the consolidated system inventory and performed the first initial review. Therefore, we did not make any further recommendations.

The OCC Master Security Controls Catalog states the following:

   • "The OCC develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information."
   • "The OCC updates the inventory of information system components as an integral part of component installations."

Effective configuration management includes the implementation of processes to maintain and keep current an accurate, comprehensive baseline inventory of hardware, software, and firmware. Failure to incorporate components in the inventory increases the risk that sensitive components may not be adequately identified and monitored for patch levels. Additionally, if sensitive components are not on management's radar, they may not have adequate security controls in place to ensure that they are not targeted to exploit vulnerabilities.

Recommendations:
Before the end of our fieldwork, the OCC reviewed and updated the consolidated system inventory in order to remediate this deficiency. Therefore, we did not make any further recommendations.

Management's Response:
As part of the continuous improvement process, in mid 2009, ITS identified an opportunity to increase the accuracy and reliability of information contained in the Application System Inventory (ASI) portion of the OCC's Agency Metadata Repository (AMR). Specifically, ITS reviewed the current fields/attributes of the ASI and identified several fields/attributes as critical elements of the change, configuration, and release management decision-making process. The critical fields and associated information were baselined and used as a reference during the first of ongoing quarterly audits. The first quarterly audit was completed on September 16, 2009. Preliminary audit numbers indicate that an average of 11 attributes (26%) of each of the 135 applications were either updated or added as a result of the audit process. ITS recognizes the need for accurate and timely information, and proactively seeks to reduce risks and increase reliability of services through a continuous review and improvement process.

5. Although the OCC has implemented a process to detect unauthorized software, OCC users still have local administrator privileges on their individual workstations without any mitigating controls to prevent them from installing software at will.

OCC has currently implemented the Microsoft System Management Server (SMS) system, which provides patch management, software distribution, and hardware and software inventory capabilities for OCC systems. OCC piloted a process for detecting and removing all unauthorized software from OCC systems and determined that the process was too time consuming. Therefore, OCC implemented a scaled-down version of the process in which it identifies, detects, and works to remove 5 to 10 unauthorized software versions on a quarterly basis. However, this process does not detect all versions of unauthorized software. Additionally, users have local administrator privileges on their workstations, which would allow them to re-install the software at will. OCC plans to fully address this issue by implementing a software solution, as a part of the technology refresh, that allows management to "white list" authorized software and prevent any unauthorized software from running.

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, User Installed Software, states:

   "Control: The organization enforces explicit rules governing the installation of software by users.

   Supplemental Guidance: If provided the necessary privileges, users have the ability to download and install software. The organization identifies what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types of downloads and installations are prohibited (e.g., software that is free only for personal, not government, use). The organization also restricts the use of install-on-demand software."

The use of unapproved software by employees could negatively impact processing operations, introduce harmful viruses, and/or cause the loss of data.

Recommendation:
We recommend that OCC management continue with its plans to implement a software solution to restrict users from installing and executing unauthorized software on OCC workstations.

Management's Response:
Although this is a repeat finding, it should be noted that the remediation work outlined in the management response for the prior year finding (FY2008 IT-02) was completed and reviewed by the GKA auditors during the FY 2009 cycle. Remediation work included a phased implementation of Federal Desktop Core Configuration (FDCC) and the implementation of a management control to detect and remove unauthorized software.

As a result of rigorous testing conducted by the OCC's Enterprise Test Lab during the FDCC implementation, it was determined that administrative rights could not be removed without significant impact to OCC mission production systems. Due to this, the OCC submitted a request to Treasury for 11 FDCC deviations, one of which was a waiver for removing administrator privileges. Treasury reviewed and approved this request in their July 1, 2009 FDCC Deviation Approval memo to the OCC, which was provided to the GKA auditors.

To mitigate the risk impact associated with local administrative privileges, the OCC is currently in an on-going process to research alternate methods for preventing the installation of unauthorized software; including the use of special software that enables white-listing of installations.
If a technical solution is not feasible in FY 2010, ITS will conduct a risk assessment\nthat will be the basis of a risk acceptance memo should Business units choose to accept the\nresidual risk associated with this issue.\n\n\n\n\n                                                 11\n\x0c'
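The two findings above both come down to reconciling what is actually deployed against what management has approved or recorded: finding 4 compares discovered systems with the consolidated inventory, and finding 5 contrasts the quarterly "detect and remove 5 to 10 versions" control with the "white list" approach the auditors recommend. The following is an added illustration, not code from OCC, GKA or the SMS product; the host names, product names, version strings, inventory contents and the CSV export layout are all constructed for the example.

```python
"""Inventory reconciliation checks illustrating findings 4 and 5.

Added example, not OCC or GKA code. The export format, host names,
product names and version strings below are all constructed.
"""
import csv
import io

# Constructed: the consolidated system inventory management maintains,
# and the systems a network discovery scan actually found.
CONSOLIDATED_INVENTORY = {"hr-payroll", "general-ledger", "email-gateway"}
DISCOVERED_SYSTEMS = {
    "hr-payroll", "general-ledger", "email-gateway", "c-cure-physical-security",
}

# Constructed: an SMS-style software inventory export, one row per
# installed product on each workstation.
SOFTWARE_INVENTORY_CSV = """hostname,product,version
ws-1001,Microsoft Office,2007
ws-1001,Acme Media Player,3.1
ws-1002,Microsoft Office,2007
ws-1002,Acme Media Player,3.2
ws-1003,Microsoft Office,2007
ws-1003,Foo P2P Client,1.0
"""

# Approved software: product -> set of approved versions (constructed).
ALLOWLIST = {"Microsoft Office": {"2007"}}

# The quarterly "detect and remove" list: a handful of specific
# (product, version) pairs, as described in finding 5 (constructed).
QUARTERLY_BLOCKLIST = {("Acme Media Player", "3.1")}


def parse_inventory(text):
    """Parse the CSV export into (hostname, product, version) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["hostname"], r["product"], r["version"]) for r in reader]


def systems_missing_from_inventory(discovered, consolidated):
    """Finding 4: components seen on the network but absent from the
    consolidated inventory, so they are not tracked for patching."""
    return sorted(discovered - consolidated)


def blocklist_findings(rows, blocklist):
    """Finding 5, current control: flags only the specific versions on
    the quarterly list, so other versions of the same product pass."""
    return sorted((h, p, v) for h, p, v in rows if (p, v) in blocklist)


def allowlist_findings(rows, allowlist):
    """Finding 5, recommended control: anything not explicitly approved
    is reported, regardless of version."""
    return sorted(
        (h, p, v) for h, p, v in rows if v not in allowlist.get(p, set())
    )


if __name__ == "__main__":
    rows = parse_inventory(SOFTWARE_INVENTORY_CSV)
    print("Not in consolidated inventory:",
          systems_missing_from_inventory(DISCOVERED_SYSTEMS, CONSOLIDATED_INVENTORY))
    print("Quarterly blocklist flags:", blocklist_findings(rows, QUARTERLY_BLOCKLIST))
    print("Allowlist flags:", allowlist_findings(rows, ALLOWLIST))
```

Run against the constructed data, the blocklist check reports only the one version it was told about, while the allowlist check also reports the newer version of the same product and the unrelated unapproved client; that gap is the point of the finding, and it closes only when the control is deny-by-default rather than a short list of known-bad versions.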